“Eleventh Hour” would seem to imply that this is a last minute option. I would not rely on this book as a last ditch option if you haven’t studied. It’s a reviewers dream (or nightmare): an embarrassment of riches in terms of errors. But I should keep this review to a reasonable size, so I’ll only mention a few illustrative goofs.

Chapter one addresses security management. The coverage of risk management is superficial, facile, and disjointed. The author adds extra factors into the CBK (Common Body of Knowledge). He stresses ”return on investment” without addressing the controversy over whether ”return on security investment” actually exists. There are some references based on the NIST (US National Institute of Standards and Technology) which are good, but insufficient. Each chapter ends with a list of the “Top Five Toughest Questions” for that domain. Usually one (20%) is flatly wrong, and the rest address trivia, missing the concepts and ramifications which are the real objectives of the CISSP examination.

Chapter two looks at access control. No, integrity concerns are not limited to authorization issues. “Counter-based synchronous dynamic token” makes no sense: both counter and dynamic obviate the need for synchronization. No, most keyboard dynamics systems would not measure pressure. In regard to cryptography, in chapter three, yes, CBC (Cipher Block Chaining) would propagate errors, which is why it is only used with self-correcting algorithms (which DES – Data Encryption Standard – is). And, yes, using ECB (Electronic Code Book) identical data blocks produce identical cipher blocks, but similar data blocks produce vastly dissimilar cipher blocks. (That is part of the measure of a good cipher algorithm.) Chapter five deals with physical security. If you can still find a soda/acid extinguisher don’t try to use it on burning liquids: it doesn’t produce much foam, mostly a simple stream of water. And merely because a CRT (Cathode Ray Tube) is analogue does not mean it is incompatible with digital devices such as CCD (Charge Coupled Device) cameras: until I got my first laptop, all the monitors for my (digital) computers were CRTs. Respecting architecture (chapter five), “open systems” refers to the use of standard protocols, not parts. TOC/TOU (Time Of Check vs Time Of Use) is not a race condition, and does not require a change of state. Polyinstantiation is not related to entity integrity. Chapter six reviews Business Continuity Planning: RPO (Recovery Point Objective) is the minimal level of operation the business needs to function, not the time taken to get there, and a hot site is not a mirror.

Studying telecommunications? It is the domain with the largest mass of information, and chapter seven is pathetically small: there is no mention of topologies, telephony, routing, and details of the protocols are scant to the point of being non-existent. The OSI (Open Systems Interconnection) model is a model, not a network protocol (although there is, also, an OSI suite of protocols), and can therefore be used to analyze any protocol suite. Neither ATM (Asynchronous Transfer Mode) nor Ethernet are restricted to the physical (which, in any case, does not deal with data, but with signals).

Chapter eight takes a stab at applications security. SDL (System Life Cycle) is not identical to SDLC (System Development Life Cycle) but contains it. The explanations in this domain are particularly poor, even by the low standards of this work. Similarly, the material on operations security, in chapter nine, is more random than in other chapters, and duplicates more content found elsewhere.

I was surprised to find that chapter ten, on law and investigations, wasn’t all that bad. There are still plenty of errors (no, only one of the four points given is one of the seven basics of the European Directives on privacy), but many of the base concepts are there, and presented reasonably. There is, however, almost nothing on management of investigations, and incident response isn’t even mentioned.

There are at least a dozen other options I’ve reviewed at http://victoria.tc.ca/techrev/mnbkscci.htm, and this actually isn’t the worst. But maybe I was a bit too hard at the beginning. You could use this book for a bit of last minute studying. If you can find at least one error per page, you are in good shape to write the exam.